IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Zurich hit with £2.27 million data loss fine

The FSA has given Zurich UK a hefty fine following a data loss incident in 2008.

Zurich

Zurich Insurance's UK branch has been fined 2.275 million by the Financial Services Authority (FSA) following the loss of 46,000 customers' data.

Bank account and credit card information was lost by Zurich, along with identity details and information on insured assets and security arrangements.

The incident occurred in 2008 when the company's UK branch outsourced the processing of some of its general insurance customer data to Zurich Insurance Company South Africa (Zurich SA).

An unencrypted back-up tape was misplaced by Zurich SA during a standard transfer to a data centre.

Zurich UK did not learn about the loss until a year later as there were not any adequate reporting lines in place, the FSA said.

The regulatory body concluded Zurich UK did not have effective systems and controls in place to manage the risks involved in protecting customer data in relation to the outsourcing deal.

Furthermore, Zurich did not have sufficient protection in place to ensure lost data would not be used for financial crime, the FSA claimed.

"Zurich UK let its customers down badly," said Margaret Cole, the FSA's director of enforcement and financial crime.

"It failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed by Zurich SA. To make matters worse, Zurich UK was oblivious to the data loss incident until a year later."

Zurich's UK chief executive (CEO), Stephen Lewis, said: "This incident was unacceptable. It served to remind us of the need to strive continually to improve the ways in which we seek to protect customers' data."

He also confirmed Zurich UK would be hiring an information security officer to ensure protection measures are effective.

The fine is the biggest financial penalty levied on a single organisation ever in the UK for a data security issue.

Had the firm not agreed to settle at an early stage of the investigation, the fine would have been 3.25 million.

To date, Zurich has not seen any evidence to suggest the lost data was compromised or used for criminal activities.

A sufficient deterrent?

Earlier this year, the Information Commissioner's Office (ICO) made Zurich's Lewis sign an undertaking to ensure whenever back-up tapes were in transit, the right data security procedures, such as encryption, would be in place.

This was before the ICO was able to fine up to 500,000 for data breaches, but Stewart Room, partner in Field Fisher Waterhouse's Privacy and Information Law Group, claimed this case highlighted the limited powers of the ICO.

"It does throw into relief, yet again, the adequacy of the 500,000 penalty for the information commissioner, where the FSA has already shown that it needs something that is at least four-and-a-half times as large," Room told IT PRO.

"This case demonstrates once again that what we need is a more unified approach to security but within regulation."

Room, who is also a director of the Cyber Security Challenge UK, called into question how far the FSA fine will go in acting as a deterrent.

"I don't believe that this fine will act as a wake up call to the financial services industry. Nor do I believe that the financial services industry will resolve all its problems now that this fine has been published," he added.

"I think the FSA will need to scale up fines considerably before it becomes such a deterrent effect."

Room also suggested Zurich's reputation will not be irrevocably damaged by the data security failings.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Recommended

ICO crackdown on AI recruitment part of three-year vision to save businesses £100 million
data protection

ICO crackdown on AI recruitment part of three-year vision to save businesses £100 million

14 Jul 2022
The public sector will no longer face eye-watering data breach fines, ICO confirms
public sector

The public sector will no longer face eye-watering data breach fines, ICO confirms

1 Jul 2022
MoJ faces £17.5m GDPR fine over subject access request backlog
data protection

MoJ faces £17.5m GDPR fine over subject access request backlog

20 Jan 2022
Cabinet Office fined £500,000 for New Year Honours data leak
data breaches

Cabinet Office fined £500,000 for New Year Honours data leak

3 Dec 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

29 Jul 2022
Samsung proposes 11 Texas semiconductor plants worth $191 billion
Hardware

Samsung proposes 11 Texas semiconductor plants worth $191 billion

21 Jul 2022
Should you take your password manager off the internet?
Sponsored

Should you take your password manager off the internet?

28 Jul 2022